Recognizing the different types of trusts including one- and two-way, as
well as transitive and nontransitive trusts

Identifying the levels of administrative grouping, including
organizational units, domains, trees, and forests

Windows 2000 utilizes a decentralized database in which all security
principals such as users, computers, and printers are registered in order to
provide centralized access and management of resources within a distributed
network environment. This database is referred to as the Active
Directory.

This chapter covers the physical and logical structure of Active Directory
deployment scenarios, as well as a basic understanding of the uses of each level
of grouping in the centralized administration over widely distributed
resources.

Active Directory Structure Overview

Users of Windows NT and earlier operating systems may be familiar with the
idea of a peer-to-peer network of computers, often referred to as a
workgroup. In a workgroup, each computer maintains its own list of users
and the access to local resources granted to each. None of the systems in this
configuration provide administration over the whole; all act as equals
(peers). Although this may work for up to 5 or 10 computers, the problems of
administration, configuration, and deployment of systems in larger
configurations mandate some form of centralized administration and
coordination.

Domain Controllers

In Windows NT, the concept of the domain was introduced. A domain is a
grouping of resources including computers, printers, groups, and users that are
maintained in a centralized database of resources located on a supervisory
machine called a domain controller (DC). In Windows NT, all
updates to this database occurred within one domain controller designated as the
primary domain controller (PDC), with all other domain controller
servers designated as backup domain controllers (BDCs). The backup
domain controllers receive updates to their local copy of the listing from the
primary domain controller on a regular schedule.

In order to provide support for larger-scale deployments in which the
security principals (such as users) in one domain may be granted access to
resources located in another domain, multiple domains can be joined via a
connection called a trust. Trusts will be covered in greater detail later
in this chapter in the section titled "Trusts."

The limitation of the NT domain system was that all updates to the database
had to occur on the primary domain controller, and only then would be propagated
out to all backup domain controllers on the next scheduled update cycle. This
can cause significant delays before changes are propagated to all remote backup
domain controllers, and may prevent changes outright if a network connection to
the primary domain controller is unavailable. Additionally, the process may be
somewhat bandwidth-intensive if a full-domain synchronization of domain
controllers is enacted, as the primary domain controller must update the local
copy of the domain database on all backup domain controllers throughout the
domain. This can prove to be a serious bottleneck when a deployment is
distributed over a large number of servers or a broad geographic area.